Cyberwar and Peace
Fintech on the front line.
Dateline: Woking, 24th April 2022.
I was invited on to a BBC radio show (The Jeremy Vine show, 8th March 2022, if you are interested) to comment on the war in Ukraine. Since I know absolutely nothing about Russian mechanised infantry tactics or the relative effectiveness of reactive tank armour against man-portable missiles I was, as you may have already guessed, there to talk about financial services with respect to sanctions and Russian payment systems.
Payment systems, in particular, have been a focus of attention. Many fintechs, such as the UK’s Wise multi-currency transfer service which has “temporarily stopped” transfers in Russian rubles, are doing their bit to contribute to the pressure on the Russian government.
Visa, Mastercard, PayPal and others have blocked access to the Russian market. As a result there are cash shortages and e-commerce will be extremely difficult.
Note that domestic payments are unaffected, because Russia has spent the last eight years developing the National Card Payment System (NSPK) to process card transactions. Visa and Mastercard were forced on to these rails a few years ago, a policy that I am sure has not gone unnoticed in some other jurisdictions concerned about the position of American networks in the critical infrastructure of their economies.
(The Russian domestic debit scheme, Mir, runs on these rails too. Mir was launched in 2015 after three options were considered for the scheme — using UnionPay, opening up the Sberbank network or creating the new system.)
At the beginning of the conflict, commentators observed that Russian banks might turn to China’s UnionPay to replace Visa/Mastercard for cross-border use but Russian media are now reporting that UnionPay, has stepped back from discussions with those banks (for fear of being sanctioned) in turn.
When it comes to cryptocurrency (estimates are that Russians hold some $200 billion in cryptocurrencies, more than a tenth of the total) exchanges such as Coinbase, Kraken and Binance have blocked accounts connected to sanctioned individuals and entities. At the same time supporters are whizzing cryptocoin donations into Ukraine.
(Bitcoin isn’t a good choice for sanctions busting either way, I would have thought. People who use it to avoid sanctions on Russia are leaving a permanent record for the US authorities to track at their leisure and people who use it to send support to Ukraine are leaving an immutable record for Mr. Putin to peruse at leisure, I would have thought).
Instead of the cyberwars of science fiction we have the fintech wars involving cryptocurrency exchanges, payment cards and remittance systems. While these battles by themselves may not bring the war to a halt, they will certainly communicate the right messages to smartphone-wielding government officials and their families.
Whether those disgruntled Muscovites who found that their Apple Pay no longer gets them into the subway will form an effective pressure group I couldn't say, but the world's displeasure has at least been made clear to them. A personal assistant to several oligarchs on the St George's Hill Estate in Surrey, which is an exclusive gated enclave where a third of residents are Russian, told a British newspaper that she was taking several calls every day from Russian billionaires asking her to help them with blocked credit card problems, saying that "They ask if they can use my address when they apply for new cards to avoid the sanctions. I just put the phone down".
The oligarchs who discover that their Visa card no longer works in Harrods will hopefully communicate their frustrations to the Russian leadership and although I can well imagine Mr. Putin pushing their concerns aside ("How many divisions does fintech have?"), these continuous inconveniences will hopefully act as a constant reminder of Western displeasure.
(European fintechs are helping in other interesting ways. Zopa, in London, has offered sponsorship of 50 work visas for Ukrainians who flee to the UK. Applicants must have a background in engineering, technology, and data analytics or experience in consumer financial services. Some people are anticipating a fintech brain drain from Russia in the coming months as well.)
Social Media Subversion
The BBC's disinformation correspondent talking on that same radio show made some interesting points about how social media wars, rather than cyberwars, seem to be the order of the day and I am sure she was right to point in this direction. I do not mean social media as in propaganda but social media as an actual weapon of war.
The use of social media seems a cost-effective and practical adjunct to conventional weapons. The Wall Street Journal reported on the use of social media on the battlefield, referring to a NATO exercise in which a “red team” was tasked with disrupting the operations of a group of soldiers. It cost them $60 to rent some Russian bots to get hold of identities and contact details of the soldiers. The attackers then engaged the targets on Facebook and Instagram to map out connections between troops, find out where they were (to within 1,000 metres) and even persuade them to send selfies (to find out what equipment they had). NATO’s conclusion was that the “level of personal information we found was very detailed and enabled us to instill [sic] undesirable behaviour… Every time we attempted to manipulate behaviours, we succeeded”.
Wow. Not some of the time. Or even most of the time. But every time.
Soldiers being what they are, the internet has proved to be a fifth column, whether it is because of soldiers giving away the location of secret facilities by jogging around them while wearing fitness trackers or, as appears to have happened on the borders of Ukraine, trying to get dates on Tinder and giving away military machinations in the process. Presumably with this evidence to hand, the British Army has banned WhatsApp completely because of concerns that Russia might be exploiting the platform to obtain sensitive information (eg, troops’ deployments).
(Rather oddly, the UK media have at the same time been reporting that the Prime Minister, Mr. Johnson, gets details of vital government business sent to him via WhatsApp, a fact revealed by some papers filed in court here.)
Where Is Our Cyberwar?
Anyway, other than fintech in the front line and subversion by social media, the BBC conversation included a discussion of cyberwarfare, and I made the point that I thought the role of cyberwar in conflict had been overestimated. Bruce Schneier, one of the world's leading experts on cybersecurity, made a similar point recently, writing in Schneier on Security (10th March 2022) that it has been interesting to notice how unimportant and ineffective cyber operations have been in the Russia-Ukraine war. Ian Levy, Technical Director of the UK's National Cyber Security Centre reinforced this view when he wrote recently that the invasion of Ukraine has made many observers reconsider how we see the world and, in particular, how Russia might also use cyber operations. He noted that “we've not seen - and don't expect to see - the massive, global cyber attacks that some had predicted”.
I share his surprise, especially given the general vulnerabilities of the internet of things (IoT) infrastructure. At the recent hackers convention “Pwn2Own” in Miami, the targets were all industrial control systems that run critical facilities and as the MIT Technology Review reported, nearly every piece of software offered up as a target fell to the hackers. A notable target was the Iconics Genesis64 human-machine interface tool that hackers can break into to bring down critical targets while fooling the human operators of the systems into thinking they are running normally. It was hacked at least six times in Miami, giving attackers full control and a total of $75,000 in prize money.
One of the Dutch researchers who took home the $90,000 main prize, Daan Keuper, said that “In industrial control systems, there is still so much low-hanging fruit…The security is lagging behind badly”. Indeed, and that’s why I thought that the Russian military supply chain would be hit in this way (rather than, as appears to be the case, reassuringly traditional arson attacks).
That's not to say that there are no cyberattacks, of course. Security Week notes that Russia had already tested cyber operations against the Ukrainian power grid in 2015 and late 2016 yet when it came to the invasion it used old-fashioned boots on the ground to capture a nuclear power plant. We might speculate that was because it couldn’t take the plant offline via the matrix or whether it was as a part of a plan to occupy Ukraine (which would require leaving the infrastructure largely operational) but nonetheless it was all rather conventional.
As far I can see, Ukrainian networks (transport, communications and energy) have been under cyberattack but have largely remained resilient (as noted in the FT recently) apart from government websites being defaced. In practice, the infrastructure has gone down only after a continuous heavy bombardment had taken out the physical infrastructure (as seen in Mariupol).
Overall then it seems as if cyberwar hasn’t really done much to change the direction of the conflict. Yes, hackers claim to have broken into dozens of Russian institutions (including the Russian internet censor) and yes hackers can temporarily mess up the rail networks in Belarus and Poland, or deface government websites in Russia and Ukraine, but that's a long way from having Fulcrums drop out of the sky because of a virus in command and control systems.